CryptoViki Ransomware

Detecting a ransomware infection every day is becoming a norm, and the CryptoViki ransomware is one of the detections of May 2017. The infection gets installed through spam emails, unreliable software distribution websites, and other channels spreading malware. There are many computer users that fall victims to cyber attacks and follow the instructions given by the attackers. If you are wondering whether to agree to the demand to pay a ransom fee, we strongly advise you against getting involved in this situation. All that you can do now is remove the CryptoViki ransomware and make sure that the system is protected against malware.

The CryptoViki ransomware encrypts data files in all connected disk drives. As a result, you are left with tens of inaccessible files. The infection is programmed to use AES and RSA encryption methods, which are commonly used by ransomware. Originally, the first method was used by the U.S. government to protect classified information and is now one of the methods to encrypt and protect sensitive data. This method is publicly accessible and preferred by banks, governments and security systems around the world. Unfortunately, cyber criminals took the advantage of this method to carry out cyber attacks against vulnerable computer users to lock their data up and hold it for a ransom. Another method, RSA, is known as an assymetric encryption system, works two different keys, which means that one is used for encryption, whereas the other key is used for encryption. These methods are no longer surprising to malware researchers, but the results of using them do surprise many affected computer users.

After encrypting all the files, the CryptoViki ransomware adds its extension .viki to the file name next to the existing extension. Next, the infection changes the desktop background with a warning asking the victim to find a .txt file containing more detailed information about the encryption and further actions. For these changes, the infections creates two files wallpaper.jpeg and readme.txt.

In the readme.txt file, the user is informed that all the files are encrypted and, to decipher, or decrypt them, it is necessary to contact the attackers, whose email address is cryptoviki@gmail.com, hence the name. Interestingly, no ransom fee is mentioned in the message. The same tactic has been used by the OnyonLock ransomware, whose owners set the ransom fee only when the victim contacts the attackers by email. No-one can guarantee that the cyber criminals behind the infection will respond to the payment with a decryption tool or key. It is very likely that such thing does not exist, which means that payment submission equals money wasting.

The ransom message does not provide information on the payment method, but the odds are that the attackers would demand for Bitcoins, a digital currency which is used anonymously without any centralized bank. A transaction is made to a digital wallet, the address of which is a long string of randomly generated digits and letters. Moreover, the name of the sender and receiver is not used. Bitcoins are becoming more and more popular among ransomware developers, and the profits made by these criminals are very often given in bitcoins alongside other currencies. The fact that this currency is chosen by cyber crooks does not mean that you cannot used bitcoins. Our point is that you should be careful with notifications requiring that you make a payment in a different currency to a questionable account.

Although the ransom warning lacks some common features expected by malware researchers, it is unique in its wording. More specifically, the text on the desktop wallpaper and in the .txt file is written in Russian and English, which suggests that this infection is targeted on Russian speaking computer users.

In order to regain access to your files, use your data back-ups, but first remove the OnyonLock ransomware from the computer. You can try removing the OnyonLock malware manually, which involves deleting recently downloaded files and its ransom warnings, or you can rely on our recommended security program which can terminate the infection and safeguard your PC against various malware and ransomware threats.